Logon/Logoff Failure Audit - Event 537 in Windows Server 2003

G

Guest

I have a W2k3 RTM member server (2003 domain) running IIS, Microsoft
Operations Manager 2005 and CA Unicenter Automation Point v4 SP3 + HP
Proliant Essentials (compaq support paq) 7.3.

I am seeing event 537 logon failure audits twice per minute in the Secuirty
Log. All the events look the same:

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000009A
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

There's not a lot to go on. I tried MSKB and EventID and there were no
obvious references. Article 318922 talks about domain controllers and NT4,
and 327889 talks about using local accounts in WinXP but implies that a user
name should be logged as part of the event.

I am not sure if 0xC000009A is related to the error
"STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon shows 19.8 Mb of
Pool Nonpaged Bytes which seems OK compared to my other servers.

Any ideas?

Thanks
- Adam
 
J

Jorge_de_Almeida_Pinto

I have a W2k3 RTM member server (2003 domain) running IIS,
Microsoft
Operations Manager 2005 and CA Unicenter Automation Point v4
SP3 + HP
Proliant Essentials (compaq support paq) 7.3.

I am seeing event 537 logon failure audits twice per minute in
the Secuirty
Log. All the events look the same:

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000009A
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

There's not a lot to go on. I tried MSKB and EventID and there
were no
obvious references. Article 318922 talks about domain
controllers and NT4,
and 327889 talks about using local accounts in WinXP but
implies that a user
name should be logged as part of the event.

I am not sure if 0xC000009A is related to the error
"STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon
shows 19.8 Mb of
Pool Nonpaged Bytes which seems OK compared to my other
servers.

Any ideas?

Thanks
- Adam

Hi,

See if the following helps
http://www.eventid.net/display.asp?eventid=537&eventno=194&source=Security&phase=1

Cheers,
 
G

Guest

Yeah, already looked there and there was nothing obviously similar. Thanks

- Adam
 
R

Roger Abell

If the info recorded in the message is correct, then it looks for all
the world as if an anonymous access is being attempted (??).
I would suspect one of CA Unicenter Automation Point v4 SP3
or HP Proliant Essentials (compaq support paq) 7.3
with my bets placed on the last one.
Just why this would be specifying/negotiating a Kerberos binding
for the provider is another issue, but I guess this is machine local.

Have you tried narrowing this down by shutting off these
selectively to see if the event message goes away?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top